Skip to content

Commit b218606

Browse files
committed
Bluetooth: hci_sock: Fix not validating setsockopt user input
Check user input length before copying data. Fixes: 09572fc ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF") Signed-off-by: Luiz Augusto von Dentz <[email protected]>
1 parent 9e8742c commit b218606

File tree

1 file changed

+8
-13
lines changed

1 file changed

+8
-13
lines changed

net/bluetooth/hci_sock.c

Lines changed: 8 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1946,10 +1946,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
19461946

19471947
switch (optname) {
19481948
case HCI_DATA_DIR:
1949-
if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
1950-
err = -EFAULT;
1949+
err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
1950+
if (err)
19511951
break;
1952-
}
19531952

19541953
if (opt)
19551954
hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
@@ -1958,10 +1957,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
19581957
break;
19591958

19601959
case HCI_TIME_STAMP:
1961-
if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
1962-
err = -EFAULT;
1960+
err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
1961+
if (err)
19631962
break;
1964-
}
19651963

19661964
if (opt)
19671965
hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
@@ -1979,11 +1977,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
19791977
uf.event_mask[1] = *((u32 *) f->event_mask + 1);
19801978
}
19811979

1982-
len = min_t(unsigned int, len, sizeof(uf));
1983-
if (copy_from_sockptr(&uf, optval, len)) {
1984-
err = -EFAULT;
1980+
err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len);
1981+
if (err)
19851982
break;
1986-
}
19871983

19881984
if (!capable(CAP_NET_RAW)) {
19891985
uf.type_mask &= hci_sec_filter.type_mask;
@@ -2042,10 +2038,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
20422038
goto done;
20432039
}
20442040

2045-
if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
2046-
err = -EFAULT;
2041+
err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
2042+
if (err)
20472043
break;
2048-
}
20492044

20502045
hci_pi(sk)->mtu = opt;
20512046
break;

0 commit comments

Comments
 (0)